From 8132290895152288a331310f1f1196b00c394c3e Mon Sep 17 00:00:00 2001 From: Yauhenikapl Date: Sun, 22 Feb 2026 16:38:26 +0300 Subject: [PATCH] Evaluate options to leverage SAST for GitHub action code --- .github/workflows/antora-build.yml | 8 +++++--- .github/workflows/zizmor.yml | 33 ++++++++++++++++++++++++++++++ 2 files changed, 38 insertions(+), 3 deletions(-) create mode 100644 .github/workflows/zizmor.yml diff --git a/.github/workflows/antora-build.yml b/.github/workflows/antora-build.yml index 290366c6..a8746fd0 100644 --- a/.github/workflows/antora-build.yml +++ b/.github/workflows/antora-build.yml @@ -5,16 +5,18 @@ on: - main workflow_dispatch: +permissions: {} + jobs: build-and-deploy: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1 - name: Set up JDK 17 - uses: actions/setup-java@v4 + uses: actions/setup-java@f2beeb24e141e01a676f977032f5a29d81c9e27e #v5.1.0 with: distribution: 'temurin' java-version: '17' @@ -24,7 +26,7 @@ jobs: ./mvnw -B generate-resources -Pantora - name: Deploy - uses: JamesIves/github-pages-deploy-action@4.0.0 + uses: JamesIves/github-pages-deploy-action@d92aa235d04922e8f08b40ce78cc5442fcfbfa2f # v4.8.0 with: branch: gh-pages folder: build/site diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 00000000..776606bb --- /dev/null +++ b/.github/workflows/zizmor.yml 
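Review bot: `permissions: {}` at the workflow level leaves the GITHUB_TOKEN with no scopes, and the `build-and-deploy` job under it declares no job-level `permissions:`, yet its Deploy step (second hunk) pushes to the `gh-pages` branch via github-pages-deploy-action, which needs `contents: write`; as written that push is expected to be rejected. Add under `build-and-deploy:` the lines `permissions:` / `  contents: write` so only that job regains the scope while the workflow-level default stays empty. The checkout pin is annotated `#v6.0.1` (no space) while the deploy pin in the second hunk uses `# v4.8.0`; use `# v6.0.1` so the version tag is consistently separated from the SHA. The `on:` block begins before this hunk, and the job's remaining steps lie between the two hunks.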
@@ -0,0 +1,33 @@
+#
+# Copyright (c) 2026 Robert Bosch Manufacturing Solutions GmbH, Germany. All rights reserved.
+#
+name: GitHub Actions SAST (zizmor)
+
+on:
+ pull_request:
+ branches: [ main ]
+ push:
+ branches: [ main ]
+
+permissions: {}
+
+jobs:
+ zizmor:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1
+ with:
+ persist-credentials: false
+
+ - name: Run zizmor (PR annotations)
+ uses: zizmorcore/zizmor-action@e639db99335bc9038abc0e066dfcd72e23d26fb4 # v0.3.0
+ with:
+ advanced-security: false
+ version: v1.22.0
+ annotations: true
+ persona: auditor
+ min-severity: medium
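Review bot: The two `uses:` pins in this file annotate the version differently — `#v6.0.1` on the checkout step versus `# v0.3.0` on the zizmor-action step; use `# v6.0.1` so the tag is consistently separated from the SHA (the antora-build.yml hunks in this commit mix the two forms as well). The pairing of `persona: auditor` with `min-severity: medium` deserves a comment above the second `with:` block, since auditor is the most expansive persona while the severity floor hides lower-severity findings; stating which classes of finding are meant to surface lets the next maintainer tune the threshold deliberately. The job's `contents: read` is consistent with `advanced-security: false` (no SARIF upload); if that input is later enabled, `security-events: write` would presumably be needed as well. This checkout sets `persist-credentials: false` while the checkout in antora-build.yml from the same commit does not, so the first run of this workflow is likely to flag that file.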